SecureMac, Inc.

Zoom security flaw puts you at risk (even after you uninstall)

July 10, 2019

Security researcher Jonathan Leitschuh has discovered a major vulnerability in the popular Zoom video conferencing app that could allow malicious actors to turn on your Mac’s camera without your permission.

Update: As of 10 July, Apple has released a silent update to resolve the persistent web server issue described in this article. The update does not require user interaction; your version of macOS should automatically update itself with this patch.

Worse yet, because of the way Zoom works on macOS, you could still be at risk even if you uninstall the app! 

So even if you haven’t used Zoom in a while (or if you can’t remember if it was ever on your computer), read on.

In this short post we’ll tell you about the vulnerability, explain its possible effects, and tell you what you can do to protect yourself.

Nice idea, poor execution

Zoom wanted to make it easy for hosts to invite participants to an online meeting—and for participants to accept and join meetings with a click. 

To accomplish this on macOS, the Zoom app installs its own web server on a user’s system so that when they click on a meeting invitation and open the link in their browser, the Zoom client is automatically launched and the meeting participant is joined to the meeting. 

Zoom also set things up so that meeting hosts could specify the default video and audio settings for participants joining the meeting—including “join with webcam enabled”.

Smile, you’re on camera

It’s a little disconcerting to think that you could click on a Zoom invitation link and be automatically joined to the meeting with your webcam enabled.

But when you consider how easy it would be for a malicious actor to hide a Zoom join link in a sketchy website or bogus email attachment, perhaps as part of a phishing attack, the glaring security flaw in Zoom’s design becomes apparent.

Uninstall? Not so fast…

There’s yet another problem with Zoom’s implementation on Macs. 

Remember when we said that the app installs a web server on the local system to make launching the Zoom client quick and easy? There’s a catch. 

Even if you uninstall Zoom, that web server stays on your system. And if you ever happen to click on another Zoom meeting link, it will re-install the Zoom client for you and launch the meeting!

What you can do

1. Change your webcam’s default to “Off”
There is a setting in Zoom that allows you to always join meetings with camera disabled, regardless of what the host has set up as the default. In Video > Meetings, check the box which reads “Turn off my video when joining a meeting”. Any time you join a meeting, your camera will be turned off until you enable it.

Perhaps in response to all the negative publicity, Zoom has announced that the latest update of the app, released earlier this week, will ask first-time Zoom users if they want to turn off their camera before joining their initial meeting. This setting will be saved as the user default for future meetings. So if you’re new to Zoom, be sure to pay attention to which preferences you select in that first meeting!

2. Update Zoom today
The story of Zoom’s (somewhat lackluster) response to these security issues is detailed in Leitschuh’s write-up of his findings. 

As mentioned above, Zoom has already taken a step in the right direction and offered users a bit more control over their client’s default settings, at least after the first use. 

Zoom has also issued patches for related problems even more serious than the ones described in this post, but if you’re running an older version of the app, you may still be vulnerable.

So update now, and consider enabling automatic updates for the next couple of months—more patches may be coming.

3. Ask for help
If you’ve uninstalled Zoom but are worried about that web server hanging out on your system, there is a way to kill it using terminal commands. The process is described in Leitschuh’s Medium post, linked above. If you’re not completely sure about how to do it, feel free to ask us—we’re always happy to take security questions from our readers and answer them by email or in a Checklist podcast.
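The problem described in this post (a helper web server that listens on localhost, outlives the uninstall, and is brought back by a LaunchAgent and leftover files) can be checked for with a short audit script. The Python below is an added example written for this page; it is not SecureMac's, Zoom's or Leitschuh's code. The port number, leftover directory and helper name are placeholders (assumptions), because this post does not state them: take the real values from Leitschuh's write-up before running the audit on a Mac. The `demo()` function stands up a throwaway loopback listener and temporary files so the three checks can be exercised offline.

```python
"""Audit for a leftover localhost helper server after an app uninstall.

Added example (not SecureMac's, Zoom's or Leitschuh's code). The port,
directory and helper name below are PLACEHOLDERS: fill them in from the
original write-up before using this on a real Mac.
"""
import os
import socket
import tempfile
from pathlib import Path

# Placeholder configuration (assumptions, not values from the page).
HELPER_PORT = int(os.environ.get("HELPER_PORT", "0"))        # 0 = not configured
HELPER_NAME = os.environ.get("HELPER_NAME", "HelperPlaceholder")
LEFTOVER_PATHS = [Path.home() / ".helper-dir-PLACEHOLDER"]
LAUNCH_AGENT_DIR = Path.home() / "Library" / "LaunchAgents"  # real macOS per-user agent dir


def is_local_port_listening(port, timeout=0.5):
    """Return True if something accepts TCP connections on 127.0.0.1:port."""
    if port <= 0:
        return False
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex(("127.0.0.1", port)) == 0


def leftover_paths(candidates):
    """Return the subset of candidate paths that still exist on disk."""
    return [Path(p) for p in candidates if Path(p).exists()]


def launch_agents_mentioning(needle, agent_dir=LAUNCH_AGENT_DIR):
    """Return LaunchAgent plists whose text mentions `needle` (e.g. the helper's name).

    A plist here is what re-launches the helper at login, so it is the thing
    to look for after an uninstall that left the server behind.
    """
    agent_dir = Path(agent_dir)
    if not agent_dir.is_dir():
        return []
    hits = []
    for plist in agent_dir.glob("*.plist"):
        try:
            if needle in plist.read_text(errors="ignore"):
                hits.append(plist)
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
    return hits


def audit(port, candidates, helper_name, agent_dir=LAUNCH_AGENT_DIR):
    """Run all three checks and return one report dict."""
    return {
        "port_listening": is_local_port_listening(port),
        "leftover_paths": [str(p) for p in leftover_paths(candidates)],
        "launch_agents": [str(p) for p in launch_agents_mentioning(helper_name, agent_dir)],
    }


def demo():
    """Offline demonstration with a constructed listener and constructed files.

    Returns {"before": report, "after": report}: "before" is taken while the
    dummy server and files exist, "after" once they are gone.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    server.listen(1)
    port = server.getsockname()[1]
    with tempfile.TemporaryDirectory() as tmp:
        agent_dir = Path(tmp) / "LaunchAgents"
        agent_dir.mkdir()
        # Constructed plist fragment that names the (hypothetical) helper.
        (agent_dir / "com.example.helper.plist").write_text(
            "<string>ExampleHelper.app/Contents/MacOS/ExampleHelper</string>"
        )
        helper_dir = Path(tmp) / ".example-helper"
        helper_dir.mkdir()
        candidates = [helper_dir, Path(tmp) / "never-created"]
        before = audit(port, candidates, "ExampleHelper", agent_dir)
    server.close()  # TemporaryDirectory cleanup already removed the files
    after = audit(port, candidates, "ExampleHelper", agent_dir)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print("demo:", demo())
    print("this machine (placeholders):",
          audit(HELPER_PORT, LEFTOVER_PATHS, HELPER_NAME))
```

On a real Mac, set `HELPER_PORT` and `HELPER_NAME` from the write-up and point `LEFTOVER_PATHS` at the helper's directory; a report with `port_listening` true or a non-empty `launch_agents` list after uninstalling means the server is still being kept alive.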

Spread the word

Although this vulnerability is pretty serious, it might fly under the radar of people who don’t follow cybersecurity news. If you know someone who uses a macOS system (especially at work), be sure to share this story with them and let them know how to protect themselves.
